asyncrat | 7c1dc593cfe04914f6b5eb1a1536d66defbffa4dbc195577ee7b0a9771afad63 | Triage

Sharing

General

Target

82938_JA9D.exe
Size

2.0MB
Sample

240523-wk2yyabb5t
MD5

0ec6f24ef39263d05158ce81351aa00a
SHA1

0ae0b2a3c73064f0beee8cddbd43f99fd2ff671c
SHA256

7c1dc593cfe04914f6b5eb1a1536d66defbffa4dbc195577ee7b0a9771afad63
SHA512

115314c7c604259b5d76e13f7d76345edc3e224405e3b64e9323d09be8c64b6ee4b762381ac95d6d177124645d7a5ab142ef8f06c05e836c62d7f9fd90a46b67
SSDEEP

24576:vAscJcmmLquAp2upDoelBp+xMYoZzDE1Vi1ETDnUo8asVItRIxabiefs177gk1zZ:vADcmmL8seb4wxY1o108XaR4WigU2

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

94.156.65.172:4449

Mutex

izslwuidilziewad

Attributes

delay
1
install
true
install_file
AntiMalware.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  82938_JA9D.exe
- Size
  
  2.0MB
- MD5
  
  0ec6f24ef39263d05158ce81351aa00a
- SHA1
  
  0ae0b2a3c73064f0beee8cddbd43f99fd2ff671c
- SHA256
  
  7c1dc593cfe04914f6b5eb1a1536d66defbffa4dbc195577ee7b0a9771afad63
- SHA512
  
  115314c7c604259b5d76e13f7d76345edc3e224405e3b64e9323d09be8c64b6ee4b762381ac95d6d177124645d7a5ab142ef8f06c05e836c62d7f9fd90a46b67
- SSDEEP
  
  24576:vAscJcmmLquAp2upDoelBp+xMYoZzDE1Vi1ETDnUo8asVItRIxabiefs177gk1zZ:vADcmmL8seb4wxY1o108XaR4WigU2
Score

10^/10

asyncrat default discovery execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratdefaultdiscoveryexecutionrat